A number of stories have run today about an independent security firm’s identification of certain potential security vulnerabilities in AMX systems. Unfortunately, these stories are confusing, and we would like to clarify a number of the issues that have been discussed.
First, we want to clarify the risks and terms being discussed. “Black Widow” was an internal name for a legacy diagnostic and maintenance login for customer support of technical issues. Commonly used in legacy systems, it was not “hidden” as suggested, nor did it provide access to customer information. While such a login is useful for diagnostics and maintenance, during our routine security review in the summer of 2015, we determined that it would be prudent to eliminate this feature as part of a comprehensive software update. We informed our customers and the update was deployed in December 2015.
“1MB@tMaN” was an entirely different internal feature that allowed internal system devices to communicate. It was not an external login nor was it accessible from outside of the product. The “1MB@tMaN” internal system device capability also was not related to nor a replacement for the “Black Widow” diagnostic login. The only connection was the fact that our software update that eliminated “Black Widow” also provided an update to the “1MB@tMaN” internal capability that eliminated this name.
The firmware update, NX v1.4.65, is applicable to products and systems incorporating the NetLinx NX Control platform and was released on Dec 22, 2015. It is available on AMX.com. More information on this release can be found at http://www.amx.com/techcenter/NXSecurityBrief/Default.asp. This issue has been addressed in legacy NI series by Hotfix v. 4.1.419 and is available from AMX Technical Support.
In terms of the names, these were lighthearted internal project names that our programmers used with no intended meaning.
We take security very seriously and are continuously testing our own systems and capabilities and developing more sophisticated updates.
Was there ever any potential significant threat?
There are multiple layers of security in these systems and we did not see serious risks due to the issues we identified. In addition, we are not aware of any breaches.
Did this consultant reveal the issue?
While we appreciate the interest of the security consultant that posted the story, AMX had already identified the issues through our routine security review and had been working on the solution internally.
The Wire is a virtual press conference. It contains press releases from credentialed industry organizations and manufacturers. Releases are not reviewed or edited by SVConline editorial staff.
AMX Media Statement: AMX by Harman addresses blog post by SEC Consult claiming to discover security vulnerability in AMX devices and systems (1/26/2016 12:32 PM)